可能重复:
我如何安全地编译其他人的 LaTeX 文档?
我有一台正在渲染 LaTeX 文档的 Linux 服务器,我想禁用 LaTeX 对系统文件(如/etc/passwd
等)的访问。无论如何,这可能吗?
答案1
你想要在 texmf.cnf 文件中设置“paranoid”
% Allow TeX \openin, \openout, or \input on filenames starting with `.'
% (e.g., .rhosts) or outside the current tree (e.g., /etc/passwd)?
% a (any) : any file can be opened.
% r (restricted) : disallow opening "dotfiles".
% p (paranoid) : as `r' and disallow going to parent directories, and
% restrict absolute paths to be under $TEXMFOUTPUT.
openout_any = p
openin_any = a
答案2
您还应该使用 TeXLive 的默认设置:
% Enable system commands via \write18{...}. When enabled fully (set to
% t), obviously insecure. When enabled partially (set to p), only the
% commands listed in shell_escape_commands are allowed. Although this
% is not fully secure either, it is much better, and so useful that we
% enable it for everything but bare tex.
shell_escape = p
% No spaces in this command list.
%
% The programs listed here are as safe as any we know: they either do
% not write any output files, respect openout_any, or have hard-coded
% restrictions similar or higher to openout_any=p. They also have no
% features to invoke arbitrary other programs, and no known exploitable
% bugs. All to the best of our knowledge. They also have practical use
% for being called from TeX.
%
shell_escape_commands = \
bibtex,bibtex8,\
kpsewhich,\
makeindex,\
repstopdf,\